Audit Report

Access to Social Security Administration Data at the Disability Determination Services

A-15-11-01127 | January 2013

MEMORANDUM

Date:      January 29, 2013
Refer To:
To:        The Commissioner
From:      Inspector General
Subject:   Access to Social Security Administration Data at the Disability Determination Services (A-15-11-01127)

The attached final report presents the results of our audit. Our objectives were to determine whether (1) security profiles assigned to disability determination services (DDS) employees provide access to Social Security Administration (SSA) data they do not need, (2) terminated DDS employees continue to have access to SSA systems, and (3) DDSs have an appropriate process for requesting and approving access to SSA systems.

If you wish to discuss the final report, please call me or have your staff contact Steven L. Schaeffer, Assistant Inspector General for Audit, at (410) 965-9700.

Patrick P. O’Carroll, Jr.

Attachment

Summary of Access to Social Security Administration Data at the Disability Determination Services
A-15-11-01127
January 2013

Objective

To determine whether (1) security profiles assigned to disability determination services (DDS) employees provide access to Social Security Administration (SSA) data they do not need, (2) terminated DDS employees continue to have access to SSA systems, and (3) DDSs have an appropriate process for requesting and approving access to SSA systems.

Background

SSA’s systems access policy is built on the principles of least privilege and need-to-know. Controlling and limiting systems access to the Agency’s information systems and resources is the first line of defense in assuring the confidentiality, integrity, and availability of the Agency’s information technology resources.

Our Findings

DDSs have a responsibility to safeguard sensitive SSA data entrusted to them and to ensure SSA and DDS systems are not compromised. We reviewed DDS employees’ systems access at 14 DDSs nationwide. Although the Agency has controls in place to review DDS employee access, we found that DDS employees were granted unnecessary access. We noted that DDS employees were assigned profiles that were not appropriate for their job functions and profiles that had not been used for an extended period of time. We also found that there was not a consistent process among the DDSs for removing access of terminated employees. This potentially led to the untimely removal of access for several employees. By not removing separated employees’ system access timely, personnel may have inappropriate access to SSA systems. DDSs should formally document the processes for obtaining and removing access to ensure procedures are followed consistently. We found that several DDSs did not have formally documented policies and procedures.

Our Recommendations

Because the issues noted above have previously been identified as part of the Fiscal Year 2011 Financial Statement Audit and are still ongoing, we recommend that the Agency strengthen various policies to ensure that systems access for DDS employees is monitored and maintained properly.

The Agency agreed with our recommendations.

TABLE OF CONTENTS

Objective
Background
     Systems Access
          Prior Audit Findings
Results of Review
     DDS Employees Granted Unnecessary Access
          Profiles Provided by the Agency Compared to DDS Profiles
          Assigned Profiles Compared to Job Titles and Descriptions
          Nonuse of Profiles and PINs
     Terminated Employees
          Accounts with Inactive Status
          Accounts with Active Status
          Temporary Employees
          Procedures for Deactivating and Deleting PINs
     DDS Documented Process
Conclusions
Recommendations
Agency Comments
Appendix A – Scope and Methodology
Appendix B – Inactive Profiles and PINs per State
Appendix C – Agency Comments
Appendix D – Major Contributors

Access to Social Security Administration Data at the DDSs (A-15-11-01127)

ABBREVIATIONS

C.F.R.          Code of Federal Regulations
CSI             Center for Security and Integrity
DDS             Disability Determination Services
ISSH            Information Systems Security Handbook
IT              Information Technology
ODD             Office of Disability Determinations
PIN             Personal Identification Number
POMS            Program Operations Manual System
Pub. L. No.     Public Law Number
RO              Regional Office
SSA             Social Security Administration
TEC             Triennial Certification

OBJECTIVE

Our objectives were to determine whether (1) security profiles assigned to disability determination services (DDS) employees provide access to Social Security Administration (SSA) data they do not need, (2) terminated DDS employees continue to have access to SSA systems, and (3) DDSs have an appropriate process for requesting and approving access to SSA systems.

BACKGROUND

On September 1, 1954, President Eisenhower signed into law the Social Security Amendments of 1954.[1] As part of the Amendments, the law sets forth the conditions for making disability determinations. The State Vocational Rehabilitation Agencies or other appropriate State agencies, under agreements with the Secretary of Health, Education, and Welfare,[2] would determine whether the individual was suffering from a disability and the days the disability began and ceased.

In June 1980, Congress passed additional legislation strengthening the disability program.[3] In passing the 1980 legislation, Congress sought to ensure effective and uniform administration of the disability programs nationwide by strengthening the Federal management of the State disability determination process. To this end, it abolished the system of individual State agreements.
It also required that the Secretary of Health, Education, and Welfare promulgate regulations specifying performance standards and administrative procedures States must follow when conducting disability determinations. According to the Agency, Federal regulations[4] limit the amount of guidance Federal agencies can require of DDS’ personnel selection. The regulations allow States to adhere to applicable State-approved personnel standards in the selection, tenure, and compensation of any individual employed in the disability program.

[1] Pub. L. No. 83-761, 68 Stat. 1052.
[2] Reorganization Plan No. 1 of 1953 established the Department of Health, Education, and Welfare. It was then re-designated the Department of Health and Human Services by Pub. L. No. 96-88, § 509, 93 Stat. 688, 695, effective May 4, 1980. Effective March 31, 1995, SSA was established as an independent agency by the Social Security Independence and Program Improvements Act of 1994, Pub. L. No. 103-296, § 101, 108 Stat. 1464, 1465.
[3] Social Security Disability Amendments of 1980, Pub. L. No. 96-265, 94 Stat. 441.
[4] 20 C.F.R. §§ 404.1621(b) and 416.1021(b).

The function of disability determinations has remained with the States since the 1954 legislation. All 50 States, plus the District of Columbia and Puerto Rico, have DDS locations. Some States have multiple sites, for a total of 116 physical locations[5] as of August 3, 2012.[6] For the week ended August 3, 2012, the DDSs had 16,143 full- and part-time employees.

To accomplish our objectives, we reviewed 14 State DDSs. These DDSs comprised approximately 52 percent of the Title II and XVI disability workloads nationwide and had approximately 7,967 full- and part-time employees[7] for the week ended August 3, 2012.

Systems Access

SSA’s Systems Access Policy is contained in Chapter 2 of its Information Systems Security Handbook (ISSH). This Policy is based primarily on Office of Management and Budget Circular A-130[8] and National Institute of Standards and Technology Special Publication 800-53.[9]

SSA’s systems access policy is built on the principles of least privilege[10] and need-to-know.[11] Controlling and limiting systems access to the Agency’s information systems and resources is the first line of defense in assuring the confidentiality, integrity, and availability of the Agency’s information technology (IT) resources.[12] This policy applies to all SSA employees and other authorized users, such as employees of other agencies, business partners, contractors, agents, and any other individuals operating on behalf of the Agency having direct access to and/or using SSA information system resources.[13]

[5] This figure also includes administrative offices.
[6] For purposes of this audit, we are reporting on 52 DDSs, 1 per State plus the District of Columbia and Puerto Rico, regardless of how many DDS sites a State may have.
[7] This number does not include contractors for the DDSs.
[8] Office of Management and Budget Circular A-130, Management of Federal Information Resources, November 28, 2000.
[9] National Institute of Standards and Technology Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations, August 2009.
[10] The process of granting users only that access to applications and transaction screens they need to perform their official duties and of limiting their access to Agency information systems to specific applications and levels of access based on their job functions.
[11] The legitimate requirement of a person or organization to know, access, or possess sensitive or classified information that is critical to the performance of an authorized, assigned mission. Approved access to Agency information systems is limited to specific applications and levels of access based on job function(s).
[12] SSA’s ISSH, Systems Access Policy, Section 2.1, Purpose.
[13] SSA’s ISSH, Systems Access Policy, Section 2.2, Scope.

Although the ISSH contains SSA’s Systems Access Policy, the detailed policy and procedures for the DDSs are contained in SSA’s Program Operations Manual System (POMS).

SSA uses Top Secret security software to provide security access control for SSA systems. This is achieved through the use of a personal identification number (PIN) that is unique to each individual.

The profile is one of Top Secret’s primary access control mechanisms. SSA develops most profiles for specific job positions (positional profiles). Each profile contains a unique mix of facilities and transactions that determines what access to systems resources each position needs. DDS staff members are also assigned functional profiles that augment selected employees’ access when it is not desirable to change the positional profile.

DDS employees, management, and security officers prepare Form SSA-120, Application for Access to SSA Systems, to request access to SSA systems. The DDS security officer then submits the Form to the Center for Security and Integrity (CSI) in its SSA region for approval. A CSI Security Officer reviews and approves the request, issues a PIN, and notifies the DDS Security Officer that the PIN has been issued.

For the DDSs in our review, the four most assigned positional profiles were Examiner, Clerical, Medical Consultant, and Single Decision Maker. All of these profiles allow individuals to search for and view disability claim information in the client’s SSA electronic folder. Three of the profiles allow the ability to use the electronic case analysis tool to electronically sign/unsign disability determinations and electronically submit case records to SSA. These profiles allow access to personally identifiable information and should be monitored closely.

Prior Audit Findings

The Fiscal Year 2011 financial statement audit conducted by Grant Thornton, LLP identified logical access control weaknesses at the DDSs. Specifically, during one of the DDS site visits, Grant Thornton, LLP noted the removal of access for personnel separations was not conducted timely. Grant Thornton, LLP also noted that there were no formally documented policies and procedures regarding employees obtaining access to SSA systems.
As part of this review, we conducted testing in these two areas to determine the extent of the issues.

RESULTS OF REVIEW

DDSs have a responsibility to safeguard sensitive SSA data entrusted to them and to ensure SSA and DDS systems are not compromised. We reviewed DDS employees’[14] systems access at 14 DDSs nationwide. Overall, our review determined that (1) DDS employees were granted access that was not necessary to complete their job functions, (2) the removal of terminated employees’ access was not executed timely, and (3) DDSs did not have formally documented policies and procedures regarding employees obtaining access to SSA systems.

[14] For this review, we included all individuals (that is, employees and contractors) with systems access at the DDS. For this report, employees will refer to both employees and contractors.

DDS Employees Granted Unnecessary Access

To determine whether profiles assigned to DDS employees followed SSA’s policy of least privilege and need-to-know, we completed the following testing for each of the 14 DDSs.

•   Compared a list of profiles provided by the Agency to all profiles assigned to all employees.

•   Compared assigned profiles to the employees’ job titles and descriptions for a sample of employees.

•   Reviewed the number of days profiles and PINs were unused for all employees.

Based on our review, we found that profiles assigned to employees in some States were either inappropriate or not removed timely after the employees’ job duties ceased. We also noted that many employees had profiles that had been unused for extensive periods, and therefore we believe the access was no longer necessary.

Profiles Provided by the Agency Compared to DDS Profiles

We obtained a list of all profiles assigned to DDS employees from the Office of Disability Determinations (ODD). We compared this list to all profiles assigned to employees in the 14 DDSs to determine whether any profiles were inappropriately assigned.[15] Our comparison noted several profiles that were assigned to DDS employees but were not included in the list ODD provided. We requested explanations from the Agency to determine the appropriateness of the profiles. Based on the Agency’s response, we noted the following.

•   In one region, a profile was assigned to one individual as a “temporary work around”[16] and had not been removed as of the time of our comparison.

•   A Top Secret error automatically assigned the Performance Assessment and Communications System profile[17] to employees.

•   One user was assigned an inappropriate profile that the Agency stated had been removed.

•   In one region, seven users had a profile that they no longer needed, and it was therefore removed.

[15] This testing was not conducted on a person-by-person basis but as a review of profiles assigned overall in the 14 DDSs.
[16] A method used for achieving a task or goal when the usual or planned method isn’t working.
[17] This profile was used for documenting performance assessments.

Based on the principles of least privilege and need-to-know, DDS employees should only have the access needed to complete their job functions. Additional access can lead to unauthorized entry into SSA’s systems. DDS management should ensure that employee access is monitored and only the appropriate profiles are assigned.

Assigned Profiles Compared to Job Titles and Descriptions

We reviewed a sample of 630 DDS employees (45 employees from each of the 14 DDSs) to determine whether the profiles assigned appeared reasonable based on the employees’ job titles and descriptions. Based on our testing, we found the following.

•   Three States assigned profiles to six employees that were not appropriate for their job functions.

•   One State assigned both the Examiner and Clerical profiles to a secretary. The Examiner profile was assigned in error and was discovered during an internal review. The individual had both profiles inappropriately assigned for approximately 20 months before being corrected.

•   One State did not remove the Examiner profile once the individual’s duties as an Examiner ceased in December 2011. This error was caught and corrected in May 2012.

For one of the three States that assigned inappropriate profiles, a Systems Programmer was assigned the Clerical profile. The Clerical profile provides access to search and view disability claim information in the client’s SSA Electronic Folder and to copy Electronic Folder images and exhibits to a compact disc. Therefore, the Systems Programmer had access to information that was not needed to perform his/her job duties. As of October 2012, the Clerical profile had not been removed from this individual; however, the account was inactive.

For the second State, four individuals were assigned inappropriate profiles. One individual was a Data Systems Coordinator, which involved developing word processing procedures and assisting others with case processing and applications. This individual was assigned the Examiner profile, which allowed access to search and view disability claim information in the client’s SSA Electronic Folder. This access was inappropriate for the individual’s job duties. Another individual was a Secretary but was assigned the Medical Consultant profile. The Medical Consultant profile gave this individual access to search and view disability claim information, create initial-level disability cases, electronically sign/un-sign disability determinations, and send case records to SSA. The final two individuals were Disability Claims Supervisors but had Examiner profiles. According to the DDS, these individuals should have had the Supervisor profile. Although the main function of the Examiner profile is included in the Supervisor profile, the DDS should ensure that all individuals have the appropriate profiles.

For the third State, an Accounts Payable Contract Consultant was assigned the Case Control Supervisor profile in November 2003. This profile allowed the individual to search for and view disability claim information in the client’s SSA Electronic Folder, perform a supervisory override in the Electronic Folder when the software stops a claim from being transferred, unlock claims that were locked by users, and copy Electronic Folder images and exhibits to a compact disc. According to the DDS, this profile was assigned in error, and this individual should have been given the Clerical profile.
According to a Top Secret report, the Case Control Supervisor profile was not removed before the individual’s employment ended in July 2011. Therefore, this employee was assigned additional access for over 7 years.

Nonuse of Profiles and PINs

Adhering to the principles of least privilege and need-to-know helps reduce the risk of compromising the confidentiality, integrity, or availability of SSA’s IT resources. SSA uses its triennial certification (TEC) process to enforce compliance with these access control principles.

During the TEC process, managers review each of their employees’ profiles and determine whether the employees have only those profiles needed to do their jobs. If the managers determine an employee no longer needs a profile, they are supposed to instruct the security officer to remove the profile from the employee’s PIN. According to the Agency, there is no specific timeframe for determining whether a profile is needed based on the amount of time it has been unused.

To examine the status of nonuse of profiles and PINs, we obtained an IT Resource Usage Report[18] as of April 15, 2011[19] from SSA’s Office of Telecommunications and Systems Operations for all individuals at the 14 DDSs.[20] Since SSA did not have criteria for a number of days of nonuse after which a profile is no longer needed, we reviewed industry standards to determine a reasonable number of days of nonuse before a profile should be removed. According to industry standards,[21] “. . . disabling user accounts after 60 or 90 days of inactivity mitigates danger of unauthorized access. Stale accounts are risky—and unauthorized use of these accounts could go unnoticed for a long time.” For our review, we identified DDS employees with inactive profiles and PINs unused[22] over 120 days and over 365 days, respectively.[23] Tables 1 and 2 summarize the results of our review.

[18] The eTrust Cleanup Report (IT Resource Usage Report) shows a profile’s and PIN’s last date of access. For any profile or PIN, the report lists how many days have elapsed since the date of last usage (Days Unused column).
[19] During our initial review of the report, we noted several States that had individuals missing from the report. Therefore, updated reports were requested to ensure a complete population. We obtained the updated reports for one State as of July 28, 2011 and for four States as of September 15, 2011.
[20] We reviewed 9,785 individuals with an assigned PIN at the 14 DDSs. This total can include employees as well as contractors that were assigned a PIN.
[21] NETIQ, Sarbanes-Oxley Section 404 Compliance for iSeries White Paper, July 21, 2004, page 3.

Table 1: Inactive Profiles

  Total Employees    Total Employees with a Profile(s)    Total Employees with a Profile(s)
  Reviewed           Unused for more than 120 days        Unused for more than 365 days
  9,785              512                                  709

We noted for all 14 DDSs, 512 employees (5 percent of all employees) had at least 1 profile that was unused for over 120 days. For example, 1 State had 11 of 802 employees with profiles that were unused over 120 days, which totaled 1.4 percent. We also found 1 State had 35 of 216 total employees with unused profiles over 120 days, which totaled 16.2 percent.

We also noted about 7 percent, or 709 employees, had at least 1 profile that had not been used in over 365 days. For instance, we found that 5 States had over 10 percent of their employees with profiles unused for more than 365 days. One of these States had 40 of its 216 (18.5 percent) employees with at least 1 profile unused for over 365 days. Because of the length of time in which the profiles had not been used, it appears that they are not necessary for the employees to complete their job functions. The additional access increases the risk of claimant data being accessed inappropriately.

Table 2: Inactive PINs[24]

  Total Employees    Total Employees with PINs         Total Employees with PINs
  Reviewed           Unused for more than 120 days     Unused for more than 365 days
  9,785              135                               139

PINs are assigned to each user to act as the user’s “name” in the system. When a user signs into the system, the date of access is captured in Top Secret. Based on our review of user PINs that had been unused for a period of time, we noted that 135 (approximately 1 percent) of all DDS employees from all 14 DDSs had not signed into their accounts in more than 120 days, and an additional 139 (1 percent) had not signed onto their accounts in more than 365 days. For instance, we noted 1 State had 12 employees (5.6 percent) that had not signed onto their accounts in over 120 days and an additional 13 (6 percent) that had not accessed their accounts in over 365 days. DDSs need to ensure that inactive accounts are removed timely to reduce the risk of inappropriate access to claimant data. See Appendix C for a breakout of results for each State tested.

[22] The number of days unused for the PINs indicates how many days it has been since the user last signed on.
[23] Because an individual can be assigned a positional and several functional profiles, an employee may be included in more than one of the results tables.
[24] One State did not have any employees with PINs unused over 120 days.

Terminated Employees

We obtained a list of terminated employees from each of the 14 DDSs through April 2011 to determine whether the employees’ access had been deactivated[25] timely from the date of separation.[26] According to SSA policy, employees should be removed from the system immediately when they are terminated or separated from the DDS. Although SSA policy states that access should be removed immediately, we identified employees’ accounts that were not deactivated within 5 business days of the date of separation provided by the DDS.
Table 3 summarizes the results of our review.

Table 3: Number of Days to Deactivate PINs for Terminated Employees

  Number of Days from Employee Separation    Number of    Number of
  to Deactivation of PIN                     States       Employees
  6 business days to 30 days                      9           56
  31 to 60 days                                   9           30
  61 to 90 days                                   5            9
  Over 90 days                                   13           91

During our review of terminated employees, we also noted (1) accounts that had an inactive status[27] and had not been deactivated by the Security Officer, (2) accounts that were still active, and (3) temporary employees that left the DDS for a period of time and returned to work; however, access was either never deactivated or deactivated untimely. We contacted the DDSs to confirm that each of these individuals had been removed from the DDS. We also obtained updated reports[28] to determine whether the employees’ statuses had changed since the DDSs were notified of the results.

[25] An account is deactivated when a user’s access on the system is suspended, rendering the account useless for the purpose of gaining further systems access.
[26] We tested 424 terminated employees.
[27] According to the Agency, an account becomes inactive after 59 days of nonuse unless a Security Officer makes the PIN inactive. If a PIN is inactive, a Security Officer has to reactivate it before it can be used to access the system.
[28] We obtained “History” reports from Top Secret to identify the status of the accounts and the date on which the account was deactivated.

Accounts with Inactive Status

We noted 5 States that had a total of 12 employees with an inactive status. According to the report detail, there was no indication that these accounts had been deactivated. We provided the five DDSs with the employee names to confirm they were actually separated from the DDS. According to all five DDSs, all of the employees had separated from the DDSs. We obtained updated reports as of May and again in October 2012 to determine whether the status of these accounts had changed. Table 4 summarizes the results.

Table 4: Updated Status of Inactive Accounts as of May and October 2012

                                                     As of May 2012           As of October 2012
  Updated Status of Inactive Accounts             States   Employees        States[29]   Employees
  Accounts were deactivated but it was over          1         2               3            7
  90 days since the date of separation
  Accounts were still inactive and had not           4        10               3            5
  been deactivated by the Security Officer

[29] One State had both employees that were deactivated and an employee that was still inactive.

Accounts with Active Status

We noted 9 States with 56 employees who still had active accounts despite the DDSs stating they had separated from the DDS. We provided the DDSs with the names of the employees to confirm that they had actually separated from the DDS. According to all nine DDSs, all but one individual had been separated from the DDSs. We obtained updated reports as of May and again in October 2012 to determine whether the status of these accounts had changed. Table 5 summarizes our results.

Table 5: Updated Status of Active Accounts as of May and October 2012

                                                     As of May 2012           As of October 2012
  Updated Status of Active Accounts               States   Employees        States    Employees
  Accounts were deactivated but it was 31 to         1         1               1            1
  60 days since the date of separation
  Accounts were deactivated but it was 61 to         1         2               1            2
  90 days since the date of separation
  Accounts were deactivated but it was over          9        43               9           47
  90 days since the date of separation
  Accounts were still active and had not been        4         9               1            5
  deactivated by the Security Officer

For the employees who still had an active status, we also obtained a report from Top Secret showing specific detail of the PIN, including the date it was last used.[30] We noted that for one employee, the date the PIN was last used was after the date of separation provided by the DDS. For this individual, the date of last use was in November 2010, and this employee left the DDS in August 2010. We provided this case to Headquarters for review on August 3, 2012. According to the Agency, systems staff used this PIN in troubleshooting workstation components and applications in the user group that allows login script customizations, rights/permissions, software usage and performance, and compact disc creation. When a PIN is not deactivated upon separation and is allowed to be used by other staff, the Agency’s data are at risk from individuals not approved to access SSA systems.

Temporary Employees

During our inquiries with the DDSs, we noted several employees whom the DDSs stated had separated but, upon further review, we found they had returned to the DDS or transferred to another DDS after a period of separation. We found that for three States, four employees had separated for a period of time or switched to another location; however, the PINs were not deactivated during the period of separation. For example, one State had an employee who left the DDS in September 2010. During our review of the Top Secret reports, we noted this individual still had an active account. Based on follow up with the DDS, we were informed that this employee returned in March 2011. According to the Top Secret report, this account was not deactivated when the employee separated. For another State, the DDS stated the individual left the DDS in March 2011. According to Top Secret, this account was not deactivated. Upon

[30] The last used field is populated by Top Secret whenever the user connects to the mainframe.
It is updated upon a\nsuccessful login.\n\n\n\n\nAccess to Social Security Administration Data at the DDSs (A-15-11-01127)                                        10\n\x0cfurther discussion with the DDS, we were informed that the employee was working at a different\nDDS, and Top Secret was not updated to show the new location.\n\nWe also noted one State had two employees who left temporarily; however, the DDS did\ndeactivate the accounts when the employees left. We noted that one account was deactivated\n20 days after the date of separation, and one account was deactivated 45 days after the employee\nleft the DDS. DDSs need to ensure that all accounts are deactivated timely after an employee\nhas separated. When separated employees\xe2\x80\x99 systems access is not removed timely, they may have\ninappropriate access to SSA systems.\n\nProcedures for Deactivating and Deleting PINs\nWe noted that procedures the DDSs followed for deactivating PINs upon an employee\xe2\x80\x99s\nseparation were not consistent among DDSs. For instance, we found that Security Officers at\nDDSs in 11 States were responsible for deactivating the employee\xe2\x80\x99s access. However, the\nremaining three DDSs stated the regional office\xe2\x80\x99s CSI was responsible for deactivating the\naccounts. SSA policy states that DDS Security Officers are responsible for certain PIN\nmaintenance, such as discontinuing authorized systems access during an employee\xe2\x80\x99s departure.\nAlthough the policy says the DDS Security Officer should take action, it is not clear whether it is\nthe Security Officer\xe2\x80\x99s responsibility to actually deactivate the accounts or notify the regional\noffice CSI. Without a consistent policy in place for DDSs, accounts may not be deactivated\ntimely and therefore are at higher risk of inappropriate access to claimant data.\n\nWe also noted that there was no consistent process for deleting PINs once an employee separated\nfrom the DDS. 
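Whatever the division of responsibility between the DDS Security Officer and the regional CSI, the reconciliation this audit performed by hand (the DDS separation list against the Top Secret status, deactivation date and last-used date for each PIN) is mechanical enough to run on a schedule rather than once every few years. The following is an added example, not code from this report or from SSA or the Top Secret product; the record layouts, the ACTIVE/INACTIVE/DEACTIVATED vocabulary and the five-business-day "timely" threshold are assumptions (Table 3's first finding bucket starts at six business days), and the sample data is constructed to mirror the cases the report describes, including the account deactivated 943 days after separation and the PIN used three months after its owner left.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# From the report (footnote 27): an account becomes INACTIVE after 59 days of nonuse.
# Inactive is not deactivated; a Security Officer can simply reactivate it.
NONUSE_INACTIVE_DAYS = 59
TIMELY_BUSINESS_DAYS = 5   # assumption: Table 3's first finding bucket starts at 6 business days


@dataclass(frozen=True)
class Account:                       # one row of an assumed Top Secret-style export
    pin: str
    status: str                      # "ACTIVE", "INACTIVE" or "DEACTIVATED" (assumed vocabulary)
    deactivated_on: Optional[date]
    last_used: Optional[date]        # set on each successful mainframe login (footnote 30)


@dataclass(frozen=True)
class Separation:                    # one row of the DDS separation list
    pin: str
    separated_on: date
    returned_on: Optional[date] = None   # rehire/transfer date when the DDS reports one


def business_days(start: date, end: date) -> int:
    """Monday-to-Friday days after `start` up to and including `end`."""
    n, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n += 1
    return n


def lag_bucket(separated_on: date, deactivated_on: date) -> str:
    """Bucket the deactivation lag the way Table 3 of the report does."""
    if business_days(separated_on, deactivated_on) <= TIMELY_BUSINESS_DAYS:
        return "timely"
    days = (deactivated_on - separated_on).days
    if days <= 30:
        return "6 business days to 30 days"
    if days <= 60:
        return "31 to 60 days"
    if days <= 90:
        return "61 to 90 days"
    return "over 90 days"


def reconcile(separations: Iterable[Separation], accounts: Iterable[Account],
              as_of: date) -> Tuple[Dict[str, List[str]], Counter]:
    """Return (findings per PIN, Table-3-style lag counts for deactivated accounts)."""
    by_pin = {a.pin: a for a in accounts}
    findings: Dict[str, List[str]] = {}
    buckets: Counter = Counter()
    for s in separations:
        notes: List[str] = []
        a = by_pin.get(s.pin)
        if a is None:
            # Absent from the export altogether: deleted, or never reconciled. Confirm with the DDS.
            findings[s.pin] = ["no account record for separated employee (deleted?)"]
            continue
        if s.returned_on is not None:
            # Employee came back or moved DDS, so a live account now is expected; the question
            # is whether the PIN was deactivated for the gap at all, and how quickly.
            gap_ok = (a.deactivated_on is not None
                      and s.separated_on <= a.deactivated_on <= s.returned_on)
            if not gap_ok:
                notes.append("returned/transferred but PIN was never deactivated during the absence")
            elif lag_bucket(s.separated_on, a.deactivated_on) != "timely":
                notes.append("deactivated late during absence: "
                             + lag_bucket(s.separated_on, a.deactivated_on))
        elif a.status == "DEACTIVATED" and a.deactivated_on is not None:
            b = lag_bucket(s.separated_on, a.deactivated_on)
            buckets[b] += 1
            if b != "timely":
                notes.append(f"deactivated late: {b}")
        elif a.status == "INACTIVE":
            notes.append("inactive by nonuse only; not deactivated by the Security Officer")
        elif a.status == "ACTIVE":
            notes.append(f"still active {(as_of - s.separated_on).days} days after separation")
            if a.last_used and (as_of - a.last_used).days > NONUSE_INACTIVE_DAYS:
                notes.append("reported ACTIVE despite nonuse beyond the 59-day inactivity rule")
        # Use after separation is the strongest signal: somebody logged in with the PIN.
        used_in_gap = (a.last_used is not None and a.last_used > s.separated_on
                       and (s.returned_on is None or a.last_used < s.returned_on))
        if used_in_gap:
            notes.append(f"PIN used on {a.last_used.isoformat()} after separation")
        if notes:
            findings[s.pin] = notes
    return findings, buckets


# Constructed sample data (not from the report); dates chosen to mirror the cases it describes.
AS_OF = date(2012, 5, 15)
SEPARATIONS = [
    Separation("P001", date(2011, 1, 10)),                                # deactivated two days later
    Separation("P002", date(2010, 8, 2)),                                 # still active, used Nov 2010
    Separation("P003", date(2010, 11, 1)),                                # inactive by nonuse only
    Separation("P004", date(2010, 9, 13), returned_on=date(2011, 3, 7)),  # rehired, never deactivated
    Separation("P005", date(2009, 6, 1)),                                 # deactivated 943 days later
    Separation("P006", date(2011, 2, 1)),                                 # deactivated after 47 days
    Separation("P007", date(2011, 3, 1)),                                 # missing from the export
]
ACCOUNTS = [
    Account("P001", "DEACTIVATED", date(2011, 1, 12), date(2011, 1, 7)),
    Account("P002", "ACTIVE", None, date(2010, 11, 15)),
    Account("P003", "INACTIVE", None, date(2010, 10, 28)),
    Account("P004", "ACTIVE", None, date(2012, 5, 10)),
    Account("P005", "DEACTIVATED", date(2011, 12, 31), date(2009, 5, 29)),
    Account("P006", "DEACTIVATED", date(2011, 3, 20), date(2011, 1, 31)),
]

if __name__ == "__main__":
    found, counts = reconcile(SEPARATIONS, ACCOUNTS, AS_OF)
    for pin, notes in sorted(found.items()):
        print(pin, "|", "; ".join(notes))
    print(dict(counts))
```

Two design points follow from the report's own findings. An INACTIVE status is treated as a finding, not as closure, because the 59-day nonuse flag is reversible by a Security Officer and is not the deactivation the policy requires. And the last-used comparison is kept separate from the status check: it is the one signal that distinguishes an account that merely sat open from one that was actually used after its owner left, which is how the November 2010 login above was found. A PIN that is absent from the export is reported rather than silently skipped, since deletion and deactivation are different outcomes and the DDS should confirm which one occurred.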
According to the Agency, each region follows a different process for requesting\nan account be deleted from Top Secret. There is no required form that DDSs complete to request\nthe removal of access when an employee is terminated. Therefore, the accounts for employees\nwho have been terminated are not timely removed from Top Secret, leaving their access\nvulnerable to inappropriate use. Policy does not seem to be clear on who has the authority over\nthe process for deactivating and deleting accounts.\n\nDDS Documented Process\nTo ensure the DDSs had appropriate processes in place for requesting and approving access to\nSSA\xe2\x80\x99s systems, we requested the formal internal documentation from each DDS outlining the\nprocess. Nine of the DDSs could not provide formal internal documentation. Some States said\nemployees understood the process, and they received training on the process. Other States said\nthey relied on what SSA had documented either in POMS or on regional sites. According to\nSSA policy, each DDS must have a procedure that documents its users\xe2\x80\x99 access. Although POMS\nis not specific about whether the DDSs should formally document this process, having\nundocumented policies and procedures for accessing SSA systems may result in an ineffective\nmethod of reviewing the request for such access. This could lead to users obtaining or retaining\ninappropriate authorization to SSA systems and information.\n\n\n\n\nAccess to Social Security Administration Data at the DDSs (A-15-11-01127)                        11\n\x0cCONCLUSIONS\nControlling and limiting access to the Agency\xe2\x80\x99s information systems and resources is the first\nline of defense in ensuring the confidentiality, integrity, and availability of the Agency\xe2\x80\x99s\ninformation resources. 
Lack of adequate access controls compromises the completeness,\naccuracy, and validity of the information in the system.\n\nAlthough the Agency has controls in place, such as the TEC, we found that DDS employees\nwere granted unnecessary access. Specifically, we noted that DDS employees were assigned\nprofiles that were not appropriate for their job functions. We also found employees had profiles\nthat had not been used for an extended period of time. According to SSA policy, DDS\nmanagement must ensure that all user accounts are reviewed periodically and inactive accounts\nare disabled. Additional access can lead to unauthorized entry to the system.\n\nUpon an employee\xe2\x80\x99s separation, their access should be deactivated immediately. We noted DDS\nemployees who were separated from the DDS, and their access was not deactivated timely. For\ninstance, one DDS deactivated an employee\xe2\x80\x99s account 943 days after the employee had separated\nfrom the DDS. By not removing separated employees\xe2\x80\x99 system access timely, personnel may\nhave inappropriate access to SSA systems. A consistent process among DDSs for deactivating\naccess and requesting accounts to be deleted would help ensure access was removed timely.\nAccording to the Agency, each region followed a different process to request an account to be\ndeleted. The Agency should ensure a process is in place for all DDSs for deactivating and\ndeleting accounts.\n\nWe also found that DDSs did not have formally documented policies and procedures regarding\nemployees obtaining access to SSA systems. Undocumented policies and procedures detailing\nthe process to obtain access to SSA systems may result in an ineffective method to review\nrequests for such access. It could also lead to users retaining inappropriate authorization to SSA\nsystems and information.\n\nThe previous two issues were also identified during the Fiscal Year 2011 financial statement\naudit. 
As such, Grant Thornton, LLP made the following recommendations.\n\n\xe2\x80\xa2   DDS management should follow Agency established separation procedures and ensure the\n    timely removal of logical access for separated employees, and\n\n\xe2\x80\xa2   DDS management should document formal policies and procedures detailing the process for\n    obtaining local access to SSA systems.\n\n\n\n\nAccess to Social Security Administration Data at the DDSs (A-15-11-01127)                        12\n\x0cRECOMMENDATIONS\nThe Agency responded that it would issue a security reminder for the timely removal of access\nfor separated employees and investigate revising POMS for the documentation of policies and\nprocedures. Because these issues were previously identified and still ongoing, the Agency\nshould strengthen policy to ensure that systems access for DDS employees is monitored and\nmaintained properly. Therefore, we recommend SSA:\n\n1. Establish policy and guidelines that sets a threshold for profile nonuse and assigns\n   responsibility for removing nonuse profiles to DDS management.\n\n2. Establish monitoring tools to alert DDS management when nonuse profiles are in excess of\n   thresholds to ensure that proper action is taken timely.\n\n3. Establish a policy that assigns responsibility for deactivating and deleting DDS user accounts\n   and provide enforcement to ensure that access for separated employees and inactive user\n   accounts is removed or disabled timely.\n\n4. Establish policy that assigns responsibility to DDS management to document and enforce\n   access management procedures that comply with SSA\xe2\x80\x99s information security policy.\n\nAGENCY COMMENTS\nSSA agreed with the recommendations. 
See Appendix C for the Agency\xe2\x80\x99s Comments.\n\n\n\n\nAccess to Social Security Administration Data at the DDSs (A-15-11-01127)                       13\n\x0c                                        APPENDICES\n\n\n\n\nAccess to Social Security Administration Data at the DDSs (A-15-11-01127)\n\x0cAppendix A \xe2\x80\x93 SCOPE AND METHODOLOGY\nTo accomplish our objectives, we:\n\n\xe2\x80\xa2   Reviewed applicable Federal laws and regulations as well as SSA\xe2\x80\x99s policies and procedures\n    pertaining to DDS systems access.\n\n\xe2\x80\xa2   Requested and reviewed State policy for establishing and maintaining systems access from\n    each of the 14 DDSs.\n\n\xe2\x80\xa2   Obtained employee lists and assigned profiles from the Office of Telecommunications and\n    Systems Operations for the 14 State DDSs as of March 15, 2011.\n\n\xe2\x80\xa2   Requested job titles and descriptions for employee lists from each of the 14 State DDSs.\n\n\xe2\x80\xa2   Selected a random sample of 45 employees from each of the 14 State DDS employee listings\n    to compare the job title and description with the assigned profiles.\n\n\xe2\x80\xa2   Obtained the eTrust Cleanup Report as of April 15, 2011 for all employees from each of the\n    14 State DDSs.\n\n\xe2\x80\xa2   Requested a list of terminated employees including the date of termination through April\n    2011 from each of the 14 State DDSs.\n\n\xe2\x80\xa2   Obtained History reports from the Top Secret system for each of the terminated employees\n    from all 14 State DDSs.\n\nWe determined that the computerized data used during our review were sufficiently reliable\ngiven our objectives, and the intended use of the data should not lead to incorrect or\nunintentional conclusions.\n\nWe performed our fieldwork at Headquarters in Baltimore, Maryland, from September 2011\nthrough September 2012. We conducted this performance audit in accordance with generally\naccepted government auditing standards. 
Those standards require that we plan and perform the\naudit to obtain sufficient, appropriate evidence to provide a reasonable basis for findings and\nconclusions based on our audit objectives. We believe the evidence obtained provides a\nreasonable basis for our findings and conclusion based on our audit objectives.\n\n\n\n\nAccess to Social Security Administration Data at the DDSs (A-15-11-01127)                      A-1\n\x0cAppendix B \xe2\x80\x93 INACTIVE PROFILES AND PINS PER STATE\n                                 Number of             Number of              Number of        Number of\n            Total number       Employees with        Employees with         Employees with   Employees with\n State\n            of Employees       Profiles Unused       Profiles Unused         PINs Unused      PINs Unused\n                                over 120 days         over 365 days          over 120 days    over 365 days\n   1             86                   5                    11                     0                2\n\n   2             401                  23                   61                     3                1\n\n   3            1,150                 28                   61                    10               15\n\n   4             451                  39                   51                    12               15\n\n   5             279                  7                     5                     4                1\n\n   6             802                  11                    9                     2                1\n\n   7             701                  23                   63                     4               12\n\n   8            1,392                 70                   52                    29               17\n\n   9             767                  50                   137                   11               11\n\n  10             432                  9                    37                     3                5\n\n  11            1,113      
           27                   47                     2                6\n\n  12             216                  35                   40                    12               13\n\n  13             215                  18                   16                     6                1\n\n  14            1,780                167                   119                   37               39\n\n\n\n\nAccess to Social Security Administration Data at the DDSs (A-15-11-01127)                              B-1\n\x0c           Appendix C \xe2\x80\x93 AGENCY COMMENTS\n\n\n\n\n                                             SOCIAL SECURITY\nMEMORANDUM\n\n\nDate:      January 7, 2013                                                             Refer To:   S1J-3\n\nTo:        Patrick P. O\xe2\x80\x99Carroll, Jr.\n           Inspector General\n\nFrom:      Dean S. Landis /s/\n           Deputy Chief of Staff\n\nSubject:   Office of the Inspector General Draft Report, \xe2\x80\x9cAccess to Social Security Administration Data at\n           the Disability Determination Services\xe2\x80\x9d (A-15-11-01127)--INFORMATION\n\n           Thank you for the opportunity to review the draft report. Please see our attached comments.\n\n           Please let me know if we can be of further assistance. 
You may direct staff inquiries to\n           Amy Thompson at (410) 966-0569.\n\n\n\n\n           Access to Social Security Administration Data at the DDSs (A-15-11-01127)                       C-1\n\x0cCOMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL DRAFT REPORT,\n"Access to Social Security Administration Data at the Disability Determination Services"\n(A-15-11-01127)\n\nRecommendation 1\n\nEstablish policy and guidelines that sets a threshold for profile nonuse and assigns responsibility\nfor removing nonuse profiles to DDS management.\n\nResponse\n\nWe agree.\n\nRecommendation 2\n\nEstablish monitoring tools to alert DDS management when nonuse profiles are in excess of\nthresholds to ensure that proper action is taken timely.\n\nResponse\n\nWe agree.\n\nRecommendation 3\n\nEstablish a policy that assigns responsibility for deactivating and deleting DDS user accounts\nand provide enforcement to ensure that access for separated employees and inactive user\naccounts is removed or disabled timely.\n\nResponse\n\nWe agree.\n\nRecommendation 4\n\nEstablish policy that assigns responsibility to DDS management to document and enforce access\nmanagement procedures that comply with SSA\xe2\x80\x99s information security policy.\n\nResponse\n\nWe agree.\n\n\n\n\nAccess to Social Security Administration Data at the DDSs (A-15-11-01127)                        C-2\n\x0cAppendix D \xe2\x80\x93 MAJOR CONTRIBUTORS\n    Victoria Vetter, Director, Financial Audit Division\n\n    Judith Kammer, Audit Manager, Financial Audit Division\n\n    Kelly Stankus, Senior Auditor\n\n\n\n\nAccess to Social Security Administration Data at the DDSs (A-15-11-01127)   D-1\n\x0c                                           MISSION\nBy conducting independent and objective audits, evaluations, and investigations, the Office of\nthe Inspector General (OIG) inspires public confidence in the integrity and security of the Social\nSecurity Administration\xe2\x80\x99s (SSA) programs and operations and 
protects them against fraud,\nwaste, and abuse. We provide timely, useful, and reliable information and advice to\nAdministration officials, Congress, and the public.\n\n\n                                   CONNECT WITH US\nThe OIG Website (http://oig.ssa.gov/) gives you access to a wealth of information about OIG.\nOn our Website, you can report fraud as well as find the following.\n   \xe2\x80\xa2   OIG news                                  In addition, we provide these avenues of\n   \xe2\x80\xa2   audit reports\n                                                 communication through our social media\n                                                 channels.\n   \xe2\x80\xa2   investigative summaries\n   \xe2\x80\xa2   Semiannual Reports to Congress                Watch us on YouTube\n   \xe2\x80\xa2   fraud advisories                              Like us on Facebook\n   \xe2\x80\xa2   press releases\n                                                     Follow us on Twitter\n   \xe2\x80\xa2   congressional testimony\n   \xe2\x80\xa2   an interactive blog, \xe2\x80\x9cBeyond The              Subscribe to our RSS feeds or email updates\n       Numbers\xe2\x80\x9d where we welcome your\n       comments\n\n\n                          OBTAIN COPIES OF AUDIT REPORTS\nTo obtain copies of our reports, visit our Website at http://oig.ssa.gov/audits-and-\ninvestigations/audit-reports/all. For notification of newly released reports, sign up for e-updates\nat http://oig.ssa.gov/e-updates.\n\n\n                          REPORT FRAUD, WASTE, AND ABUSE\nTo report fraud, waste, and abuse, contact the Office of the Inspector General via\n   Website:        http://oig.ssa.gov/report-fraud-waste-or-abuse\n   Mail:           Social Security Fraud Hotline\n                   P.O. Box 17785\n                   Baltimore, Maryland 21235\n   FAX:            410-597-0118\n   Telephone:      1-800-269-0271 from 10:00 a.m. to 4:00 p.m. 
Eastern Standard Time\n   TTY:            1-866-501-2101 for the deaf or hard of hearing\n\x0c'